Last month DHS published [Link added 4-10-21 1422 EDT] a 60-day information collection
request (ICR) notice to support the expansion of their Vulnerability Discovery
program (VDP) to other agencies in the federal government. This post is
(maybe?) part of a series of posts that looks at public comments submitted in
response to that ICR. The comment period closes on May 18th.

To date there are two public responses to that ICR notice. One, of course, is my own (see my earlier blog post) [.PDF download link]; the other is from Andrew Hunt. Along with a brief comment, Hunt provides a marked-up copy [.PDF download link] of the 60-day ICR notice showing the changes that he suggests.

Hunt suggests:

“Overall, shift language from ‘all
agencies with their web forms’ to ‘DHS CISA centralized reporting’. They have
the expertise to collect this sensitive information, secure it appropriately,
disseminate appropriately, and engage agencies to remediate their exposures.
Review ‘lawful method to practice…discover new vulnerabilities’ language if
that is not intended to provide safe harbor protections to hackers. Remove
references to ‘Solarwinds Hack’ and replace with codenames (e.g. SunBurst,
SunShuttle) or descriptions to reduce liability of brand damage to the
Solarwinds company as it is trying to recover from this truly terrible attack.
Reword the definition of a ‘vulnerability’ as more to do with redirection of
expected execution and behavior rather than controls bypass. A vulnerability
can exist without a defined/intended control.”

He makes the following additional points in the marked-up copy:

• Controls are not always defined
before being vulnerable. A better definition: ‘coerces hardware/software to
execute or behave in unintended ways from the design’.

• “… lawful method to practice and discover
new cyber methods to discover the vulnerabilities….” CLARIFY: this sounds like
a safe-harbor statement for hackers.

• If you do not guarantee
confidentiality, then no one will play with you. Exempt this from FOIA.

• Use one site, done right,
secured, and managed by those with the experience to do so. Remediation of
vulnerabilities is notified, then managed by CISA. Agencies follow CISA
direction to properly mitigate the vulnerability.


While Hunt's comments are brief, he brings up some interesting points. First, his suggestion that DHS run a centralized VDP meshes well with my observations about the requirements of 44 USC 3509. The more interesting point, however, is his take on the definition of 'security vulnerabilities' used in the ICR notice. That definition comes from 6 USC 1501(17) and it reads:

“The term “security
vulnerability” means any attribute of hardware, software, process, or
procedure that could enable or facilitate the defeat of a security control.”

Hunt makes the point that: "Controls are not always defined before being vulnerable. A better definition: 'coerces hardware/software to execute or behave in unintended ways from the design'." Playing with Hunt's comments just a bit, I would like to offer this formal version of Hunt's definition:

"The term "security vulnerability" means any attribute of hardware, software, process or procedure that would allow or cause that hardware, software, process or procedure to execute or perform in a way not intended by its design."

Unfortunately, an ICR is not the appropriate vehicle for changing a statutory definition. DHS is not, however, required to use the §1501 definition in this ICR. They could instead use my formal definition above, substituting "Security vulnerabilities may be defined as" for the first five words of the revised definition.

His comment about removing the SolarWinds name from the 'Supplementary Information' portion of the Notice raises an interesting point. While I personally do not care much about wounded corporate egos, DHS is not responding to the vulnerabilities in the SolarWinds products (that is the sole responsibility of the company); it is responding to the effects of the attacks wrought by SunBurst, SunShuttle, etc. Thus, naming those rather than SolarWinds is probably more appropriate.

Finally, I am not sure that I agree with his FOIA comment. Researchers have no need to 'protect' their discovery of vulnerabilities. Vendor and agency developers might, but their response is not the subject of the ICR. There would certainly be some justification for restricting access to the vulnerability information pending mitigation; reported vulnerabilities should probably be protected as sensitive but unclassified information until a mitigation has been developed.

By admin